STE WILLIAMS

Bethesda blunders, IRS sounds the alarm, China ransomware, and more

Roundup This week, we saw Linux get pwned, a teen hacker go down, and Julian Assange vowing to stay right where he is.

But that wasn’t the only news to hit over the week.

Oh look, it’s yet another SystemD vulnerability

Linux init system systemd is once again getting the wrong kind of attention as researchers have spotted another security vulnerability.

This time, it is an elevation of privilege vulnerability that would potentially let users execute system commands they would otherwise not be authorized to perform.

Fortunately, there are some mitigating factors in this case. Mainly, exploiting the vulnerability requires a specially created user account, and creating one needs superuser rights in the first place. At that point, you wouldn’t have much need for the exploit. Still, it would be a good idea to patch this one as soon as possible.

The bug has been designated CVE-2018-19788.

Congress pitches tougher data breach, security training laws

A pair of efforts in Washington DC are aiming to improve information security in the government.

First, there is Senator Mark Warner (D-VA) who is pointing to the recent Marriott hotel breach as proof that we need a new set of federal data breach regulations. From Warner:

“We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

Then, there’s a bipartisan bill in the House that would beef up government support for cybersecurity training.

That bill (PDF), floated by Reps. Jim Langevin (D-RI) and Glenn Thompson (R-PA) would create a new Department of Education grant program focused on training students in the basics of infosec with the hope that they would eventually put those skills to work in the public and private sectors.

Leaking… leaking never changes

As if Bethesda’s rollout of Fallout 76 wasn’t going badly enough.

Now comes the news that the games company’s efforts to replace a premium tote bag some users got with their pre-orders has resulted in the exposure of their personal details and payment card information.

A user reported that, due to a glitch in Bethesda’s support site, she was receiving all of the tickets from other customers. Those tickets included the information they had sent to prove their purchase and claim their replacement bags, things like addresses and credit card information.

Fortunately, rather than do anything evil, the user reported the matter and Bethesda was able to clear everything up before any nefarious activity (that we know of) occurred.

Now, if they could do something about the lousy gameplay…

IRS fires up tax-season fraud alerts

With the end of the year rapidly approaching, workers around the US will soon be getting their tax information, and the IRS is already starting to issue warnings on how to avoid being duped.

The US tax collector says it is already seeing scammers attempting to trick users into turning over personal information.

Avoiding these scams means taking some basic security steps: Don’t trust unsolicited emails (the IRS sends its official notices by snail-mail) and don’t follow any hyperlinks or open strange attachments. Most of all, don’t hand personal details over to any person or site unless you are absolutely sure of their authenticity.

Reg readers know most of these things already, but it’s worth passing along to friends and family members who are less tech-savvy.

Wechat ransomware runs amok in China

A massive ransomware outbreak is spreading in China, locking up the machines of tens of thousands of users.

The malware, interestingly enough, does not ask for its payout in bitcoin or other cryptocurrencies, but rather in the form of cash transfers from China’s WeChat pay service. So far, it is estimated that more than 100,000 machines have been hit by the infection.

Considering that the outbreak is concentrated in China, the decision not to use cryptocoins for payment makes sense, as Bitcoin and other currencies are not allowed to be exchanged or traded in the Middle Kingdom. If this infection was the work of a local hacker, it would make sense that another form of payment was used.

Cozybear creeps launch new offensive

Microsoft is sounding the alarm over a new wave of attacks from an APT known as ‘Cozybear’.

Redmond says the group appears to be mounting a large-scale attack on public-sector, non-profit, and private companies that all operate within the oil, gas and hospitality industries.

The attacks themselves are not particularly remarkable; the attackers use spear-phishing campaigns to try and infect their targets with poisoned PDF files that then install spyware and botnet controllers on the infected machines.

What does have Microsoft concerned, however, is the massive scale of the attack on companies around the US, as well as some of the tell-tale signs that Redmond says point to a state-sponsored campaign.

“Due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations,” Redmond said of the operation.

Seattle stalker sees slammer

A 39-year-old man from Seattle, WA will be spending the next 20 months behind bars for a particularly gross string of cyberstalking incidents.

Joel Kurzynski admitted to conducting two cyberstalking campaigns that included prolonged harassment, death threats, and other scumbaggery. Among the claims made against Kurzynski was that he signed one person up for “fake dating profiles wherein Kurzynski portrayed Victim 1 as seeking sadomasochistic or underage relationships. These profiles contained photographs of Victim 1 and his contact information, resulting in solicitations and harassing messages directed toward Victim 1 from multiple strangers.”

In another case, Kurzynski was said to have signed a victim up for multiple weight-loss and suicide prevention programs with the aim of flooding the target with calls and correspondence from those groups.

This escalated to death threats, according to the DOJ, who recounted that “one threat claimed that he was waiting for her in the lobby, and another that said, “Looking forward to seeing you today and how much you bleed. Don’t go to the bathroom alone’.”

It sounds like, for the next 20 months at least, the internet will be a slightly better place. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/08/security_roundup_081218/

Linux.org domain hacked, plastered with trolling, filth and anti-transgender vandalism

The Linux.org domain was hijacked on Friday morning, with the hacker plastering the message “G3T 0WNED L1NUX N3RDZ” complete with expletives and a very NSFW image (a hairy asshole).

The real administrator of the site, Mike McLagan, immediately ‘fessed up on Reddit, and said the vandal had managed to break into his partner’s Network Solutions registrar account and switch Linux.org DNS servers to their own site.

“This evening someone got into my partner’s netsol account and pointed linux.org DNS to their own cloudflare account,” McLagan wrote, adding: “The production env (web / db) wasn’t touched. DNS was simply pointing to another box.”

He was posting, he said, so Linux.org users would know “that the actual linux.org servers were untouched and no data was leaked.”

That series of events was confirmed by a screenshot posted by the hacker themselves on a new Twitter account – @kitlol5 – which showed them inside Michelle McLagan’s account with access to a series of domains including linuxonline.com, linuxhq.com, McLagan’s personal dot-com and, of course, linux.org. The hacker took them all down.

It’s not clear what drove the hacking effort, although Linux.org did recently change management, delete its content and users and force people to re-register, something that was not a hugely popular move.

As for how it was hacked, McLagan blames the public Whois displaying his partner’s email address – presumably the hacker worked their way into the Yahoo! email account listed as the admin of the site and from there requested a password change in her Network Solutions account to gain access to the domain.

So, um, security

McLagan also put the blame on himself for not having added multi-factor authentication. One Reddit poster castigated him: “It’s 2018, there’s really no excuse to not have already been doing so.” He replied: “I agree.”

In the meantime, the vandal was having fun with the site, linking to a story about Linus Torvalds taking time off to deal with anger issues and noting that the Linux kernel now has a code of conduct.

The miscreant then decided to take offense at the existence of transgender Linux developer Coraline Ada Ehmke, posting an article to an alt-right website slamming her, and then posting her personal details including email and home addresses.

But finally, at around 0300 GMT – after three-and-a-half hours of ring-piece vandalism – the Linux.org owners managed to get the site redirected.

As of the time of writing, the site is still down. Presumably, once McLagan and his partner have proved their credentials they will be able to redirect the websites and once propagated they – and Linux.org – will reappear.

Lesson to be taken from all this: put multi-factor authentication on your registrar account. It’s also another sign that the changes forced onto the Whois by European GDPR data laws – where private detail is currently hidden – may actually be beneficial to many internet users. It may make sense for people to take this opportunity to change their domain contact email addresses so old Whois records are no longer accurate. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/07/linuxorg_hacked/

‘Say hello to my little vacuum cleaner!’ US drug squad puts spycams in cleaner’s kit

Next time you’re closing a big drug deal you may want to watch the cleaner. Or more specifically their vacuum cleaner.

That’s right, because thanks to publicly available federal acquisition records we now know that America’s Drug Enforcement Agency (DEA) has planted cameras in cleaners. Canon cameras in Shop-Vacs appear to be the latest tool in the drug war.

To be fair, we don’t know it’s a Shop-Vac for certain because, like the brand “Hoover,” “Shop-Vac” has become a generic term for a heavy-duty vacuum cleaner. The DEA could be planting surveillance equipment in a Ridgid, a Craftsman or even a Stanley. What we do know for sure is that it’s a Canon M50B.

And we know that because it lists “custom shop vac concealment with Canon M50B” in the contract, dated November 28.

It’s a good choice: The Canon VB-M50B is a network camera so video can be live-streamed – presumably to agents parked in a van nearby – and it has a very large aperture ratio, meaning that you get good color and clarity out of it even in low-light situations.

It has a pretty good 88.5mm zoom so it can pan, tilt and pick out details from some distance away – maybe 50-100 feet. Not quite zoom-and-enhance territory but good enough it seems. And the camera has object detection built in. If you were going to install any surveillance camera inside a vacuum cleaner, this would be the one.

The contract is for $42,595. Even a top-of-the-range Shop-Vac will only set you back a few hundred bucks but the Canon is a high-end bit of kit costing $3,400. So guessing that the company building the machines – Special Services Group, based in Denair, California (near Modesto) – is putting a 50 per cent mark-up on the machines for carefully outfitting the cleaners with hidden cameras, that means there will be six DEA max surveillance cleaning machines out there.

Problem solving

It’s actually a pretty smart move: Shop vacs typically have two openings – one that sucks in air and one that blows it out. The truth is that people rarely, if ever, use the blower setting so you could easily fit a camera in there that can see clearly through the hole while being undetectable without close inspection.

And of course, no one thinks anything of a shop vac in an industrial setting. We’re guessing that the people the Superspy Shop-Vac is intended to film spend a lot of time in warehouses.


The question of course is, where would the air exit from? There would need to be some air coming out of the hole or the vacuum cleaner wouldn’t be usable – it couldn’t provide any suction (we literally just tested this with a Shop-Vac and some duct tape). That’s where the expertise of Special Services Group comes in, no doubt.

The company pitches itself as a “leading supplier of technical solutions for law enforcement, military and government agencies in the United States of America” and notes that it is “known for our superior products.” Aside from specially modded vacuum cleaners, it’s not clear what those products are, but there are lots of thrusting pictures of men with guns on the site so it’s safe to assume it’s weaponry of some kind.

Anyway, we’re willing to bet that the boys at Special Services Group are already hard at work figuring out how to exit the air so the shop vac works – either around the edges of the camera installed in the blow exit or perhaps out other carefully designed holes.

But while we’re celebrating Special Services Group’s contract win, spare a thought for Cowboy Streetlight Concealments, based in Texas. They also went for the contract, based no doubt on their previous contract wins with the DEA and law enforcement in which they… well, the name kind of gives it away – secretly install cameras in streetlights. Presumably to catch drug dealers on street corners.

But Cowboy Streetlight Concealments didn’t get the gig. Maybe they are trying to branch out from streetlights into other secret camera installations. Why not? That’s where the market is these days. Speed signs, traffic barrels, anything that you don’t notice but in which you can shove a camera.

But what is most amazing about all of this is that it proves every single 1980s crime movie was right: government agents really are posing as cleaners to catch the crooks. Let’s clean up the streets boys – literally. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/07/dea_vacuum_cleaner/

Identity stolen because of the Marriott breach? Come and claim your new passport

Hotel-chain turned data faucet Marriott says it will help some customers cover the cost of replacing stolen documents.

The company on Friday confirmed to The Register that customers who fall victim to fraud as a result of forged passports will be eligible to claim a replacement passport at Marriott’s expense.

“As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” a spokesperson told El Reg.

“If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”

This after last week’s revelation that half a billion customer records collected over four years of hotel bookings had fallen into the hands of criminals who managed to get into Marriott’s Starwood reservation system.

In addition to encrypted card details, the attackers were able to access customers’ name, mailing address, phone number, email address, passport number, Starwood account number, date of birth, and gender.


The attackers also would have been able to look at information on when customers stayed with the hotels, though that info would have been of far less value.

Earlier this week, Senator Charles Schumer (D-NY) called on the company to cover the costs of new passports for the customers who have fallen victim to fraudulent activity as a result of the data theft.

“A new passport costs $110. Marriott must personally notify customers at greatest risk,” Schumer tweeted.

“And Marriott should pay the costs of a new passport for victims who request it.”

Despite the calls for Marriott to cover costs in case of fraud, actually cloning a US passport would require much more than a passport number, as the US State Department recently noted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/07/marriott_breach_passport/

In case you’re not already sick of Spectre… Boffins demo Speculator tool for sniffing out data-leaking CPU holes

Analysis You’ve patched your Intel, AMD, Power, and Arm gear to crush those pesky data-leaking speculative execution processor bugs, right? Good, because IBM eggheads in Switzerland have teamed up with Northeastern University boffins in the US to cook up Spectre exploit code they’ve dubbed SplitSpectre.

SplitSpectre is a proof-of-concept built from Speculator, the team’s automated CPU bug-discovery tool, which the group plans to release as open-source software. Their work is described here in an academic paper emitted earlier this week.

Andrea Mambretti told The Register that he and his Speculator coauthors – Engin Kirda, William Robertson of Northeastern University and IBM’s Matthias Neugschwandtner, Alessandro Sorniotti, and Anil Kurmus – aren’t trying to scare the world with yet more chip vulnerability exploits, but rather want to prise open the secrets of CPU microarchitecture.

The big silicon design houses keep details of the inner mechanisms of their processors under tight wraps, which means discovering speculative execution flaws and suchlike requires a non-trivial amount of reverse-engineering.

Thus, Speculator tries to automate that discovery process. Spec-ex is one of the key drivers of processor speed, which is why CPU engineers and their bosses don’t like to talk about it, in case they spill any secrets to competitors.

Mambretti explained to The Register that Speculator came about from “the analysis of common elements of [speculative execution] attacks,” and should “help the analysis of new and old attacks.

“SplitSpectre is the result of our analysis, and thanks to Speculator, we could precisely measure the characteristics required for an attack to succeed as well as study general behaviors of the CPU during speculation that before were not known or documented.”

SplitSpectre: If you patched, relax

Speculator was able to find a “novel variation” in the techniques needed to exploit Spectre variant 1 vulnerabilities in processors. These are those flaws you’ve heard so much about, the ones that can be abused by dodgy applications and malware to leak passwords, crypto-keys, secrets, and other data from the computer’s memory that should be off-limits.

This particular variation was dubbed SplitSpectre, and it differs from previous exploits by “requiring a smaller piece of vulnerable code available in the victim’s attack surface.” Spectre exploitation relies on specific sequences of code running in the software you’re trying to spy on. SplitSpectre requires a shorter chain of instructions in its victim, which means code thought to be invulnerable to Spectre may actually be snooped on by this new technique.

Having said that, today’s mitigations for Spectre should thwart this version of SplitSpectre. Future versions may be more successful, or “viable,” as the researchers put it. It is a proof-of-concept of Speculator, after all, and is written in JavaScript to run in Mozilla’s SpiderMonkey JS engine.

One key point is that SplitSpectre can snoop on the underlying JavaScript engine, meaning it could in theory peek at private and sensitive data used by other JavaScript code running at the same time on the engine, say, in other tabs within a browser.

One defense mechanism is to, therefore, securely sandbox browser tabs and windows so that malicious JavaScript cannot snoop on other pages and scripts via Spectre, which is what modern web browsers tend to do now. Again, the point of SplitSpectre is to demonstrate how Speculator can explore and potentially uncover future weaknesses in CPU microarchitectures.

Figure: Flow of SplitSpectre

The team’s paper has an illustration of the SplitSpectre technique – pictured right – and explains the nitty-gritty: “A V1 gadget consists of a bounds check and two array accesses … In order to mount a regular Spectre V1 attack, we would require a complete Spectre V1 gadget available in the JavaScript engine. The intuition behind SplitSpectre permits us to relax this requirement and only require the first half of a V1 gadget, i.e. the bounds check and the first array access.”
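As an added illustration (not code from the paper or from The Register), here is the V1 gadget shape the quote describes, written in C next to a hardened version that replaces trust in the branch with a branch-free index mask, the same idea as the Linux kernel’s array_index_mask_nospec(). The tables and values are constructed; masking the index at the first array access is what matters, since that first access is exactly the half of the gadget SplitSpectre needs in the victim.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample tables (not from the paper): arr1 is the bounds-checked
 * array, arr2 is the second array whose cache state a V1 attack would probe. */
#define ARR1_SIZE 16u
#define STRIDE    64u                 /* one cache line per possible arr1 value */
static uint8_t arr1[ARR1_SIZE];
static uint8_t arr2[256u * STRIDE];

void init_tables(void) {
    for (size_t i = 0; i < ARR1_SIZE; i++) arr1[i] = (uint8_t)i;
    for (size_t i = 0; i < sizeof arr2; i++) arr2[i] = (uint8_t)(i & 0xff);
}

/* Branch-free mask: all ones when idx < size, zero otherwise.
 * (size - 1 - idx) wraps to a value with its top bit set exactly when
 * idx >= size, and ORing in idx keeps that bit set.  Assumes size >= 1 and
 * both arguments below 2^(bits-1), as the kernel helper does. */
size_t index_mask_nospec(size_t idx, size_t size) {
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1); /* 1 if out of bounds */
    return oob - 1;                   /* 0 - 1 wraps to all ones; 1 - 1 is zero */
}

/* The V1 gadget shape the article quotes: a bounds check followed by two
 * dependent array accesses.  Architecturally this is correct; the weakness is
 * that the CPU may issue both loads before the branch has resolved. */
uint8_t v1_gadget(size_t x) {
    if (x < ARR1_SIZE)
        return arr2[arr1[x] * STRIDE];
    return 0;
}

/* Hardened form: the index is clamped through a data dependency, not a branch,
 * so even a mispredicted check cannot make arr1[x] read past the array. */
uint8_t v1_gadget_masked(size_t x) {
    if (x < ARR1_SIZE) {
        size_t safe = x & index_mask_nospec(x, ARR1_SIZE);
        return arr2[arr1[safe] * STRIDE];
    }
    return 0;
}

int main(void) {
    init_tables();
    printf("mask(3,16)=%zx mask(16,16)=%zx\n",
           index_mask_nospec(3, 16), index_mask_nospec(16, 16));
    printf("gadget(5)=%u masked(5)=%u\n", v1_gadget(5), v1_gadget_masked(5));
    return 0;
}
```

The architectural results of the two gadgets are identical for every in-bounds index; only the speculative behaviour differs.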

Mambretti stressed it’s not a browser-reliant exploit, nor reliant on JavaScript. It pretty much affects code running concurrently on a shared interpreter. JavaScript was chosen because it can be embedded in malicious web pages or in emailed documents by miscreants attempting to pull private data out of the underlying environment. It’s a relatively realistic attack scenario, in other words.

“We are only talking about SpiderMonkey and not browsers,” he said in an email. “SplitSpectre crosses the privilege boundary, between attacker-controlled JavaScript and the runtime environment, within the SpiderMonkey engine.”

The paper added: “The attack works … we leak a string of ten characters with a success rate of over 80 per cent, and we leak the full string with a success rate of 10 per cent.”

Mambretti emphasized that a system fully patched against Spectre would be immune to SplitSpectre as it stands. The exploit is not tied to any particular CPU architecture, though the boffins tested their JavaScript on Intel Broadwell and Skylake CPUs, and AMD Ryzen chips. The research didn’t specifically look at Arm-compatible components.

We pinged AMD and Intel for comment. AMD insisted its existing defense mechanisms block SplitSpectre. Intel declined to comment. We understand, though, Chipzilla’s engineers are confident today’s software mitigations defeat SplitSpectre.

Fuzzing the CPU’s performance counter, for fun, and speculative execution

As Mambretti mentioned, the biggest road-bump spec-ex researchers face is that CPU vendors don’t publish enough detail on their microarchitectures. The boffins decided they wanted a “tool whose purpose is to reverse-engineer the behaviour of different CPUs,” so they looked at the signals processors give the outside world that could identify two things: when spec-ex is happening, and, much more difficult, how to use that information to siphon data from memory holding sensitive information.

Figure: Speculator’s architecture

They drilled down on an interface CPU vendors provide to help optimise software: hardware performance counters.

The Speculator paper noted that these counters reveal “microarchitectural state changes such as cache accesses, retired instruction, and mispredicted branches,” which can be used to “accurately measure microarchitectural state attributes associated to the speculative portion of the execution of user-supplied snippets of code.”

In other words, these counters keep track of how hard the CPU is working behind the scenes, and what exactly it may be up to, so as to maximize the rate of execution; this information can be used to pull off Spectre-based attacks. The kinds of thing Speculator observes in order to sniff out exploitable spec-ex weaknesses include:

  • Which code snippets are speculatively executed
  • What triggered spec-ex to start and stop
  • How specific instructions affect its behavior
  • Which security boundaries prevent spec-ex, for example the boundaries between kernel and user mode, and between a runtime engine and interpreted code
  • The consistency of CPU behavior within the same architecture or across different architectures.

Running Speculator showed Mambretti and his collaborators how to craft their new technique, SplitSpectre. They focused on instructions that are speculatively executed, but not retired, because those instructions provided insight into architectural side effects, side effects that formed a side-channel from which to lift bytes of private data. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/07/splitspectre_attack/

Brit bomb hoax teen who fantasised about being a notorious hacker cops 3 years in jail

A teenage bomb hoaxer from Watford who taunted the UK’s National Crime Agency on Twitter while pretending to be a hacker crew called Apophis Squad has been jailed for three years.

George Duke-Cohan, 19, from the village of Garston, near Watford, just north of London, previously pleaded guilty to making three bomb hoaxes, including one in August against a transatlantic United Airlines flight that resulted in all 295 passengers aboard being exhaustively searched by US police workers after the flight landed.

His Honour Judge Richard Foster, sentencing, said that police investigating the bomb hoaxes had also found a Discord server on which Duke-Cohan used the handles “geor”, “Trident” and “Plexit”.

“You accept responsibility for the hoaxes and claim that you are a psychopath with a history of killing small animals,” said the judge as he prepared to hand down sentence.

Sitting at Luton Crown Court to sentence Duke-Cohan, the judge told the teenager this morning: “You enrolled to study for a Diploma in Information Technology at West Herts College in Watford in September 2016. In October 2017 the college’s website experienced a so-called ‘denial of service’ attack for which you were identified as the perpetrator. Whilst still on that course on 31st January 2018, the college received a bomb threat which was taken seriously – 2,500 students and staff had to be evacuated. You admitted being responsible for the hoax email.”

Duke-Cohan’s bomb threat against United Airlines included him making a phone-call to San Francisco authorities in which he took on “the persona of a worried father and [claimed] his daughter contacted him from the flight to say it had been hijacked by gunmen, one of whom had a bomb,” said the National Crime Agency in a previous statement.

He also emailed “over 1,700 schools and other educational establishments” in March this year “threatening to set off an explosive device if payment was not made as directed”, before calling police two days later “asking for advice because you thought your phone had been hacked, although you denied any involvement in the bomb threats”.

When police arrested him the following day for the bomb threats and examined the contents of one of his mobiles, they found evidence linking him to the Apophis Squad Twitter handle, where he had claimed responsibility “for targeting 24,000 schools in both this country and the USA”.

For sentencing purposes, the judge accepted a forensic psychiatrist’s report which suggested that Duke-Cohan suffers from an autism spectrum disorder, commenting: “[T]o say that this is an excuse for what you have done is an insult to the many thousands of sufferers who lead law abiding lives.”

Dr Tim Rogers, the psychiatrist, found in his report on Duke-Cohan that the teenager “alluded to ordinarily hidden feelings of insecurity, shame, vulnerability and humiliation that had given rise to fantasies of (and a search for) success, power, acclaim from prominent hackers and the achievement of wider online notoriety”.

Describing Duke-Cohan’s “fascination with computer hacking and your motivation of seeking notoriety” as evidence of “[his] high culpability” for his crimes, HHJ Foster sentenced him to three years in prison, of which he must serve half before being released on licence. With approximately three months on remand being taken into account, Duke-Cohan could be out of prison by May 2020.

His computers and devices were ordered to be destroyed and a criminal behaviour order was made. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/07/george_duke_cohan_sentenced_3_years/

Hacker-besieged DNA data tucked away under military care

On Wednesday, Genomics England – an ambitious project to map the DNA of a million Brits – proudly announced that it had completed the “100,000 Genomes Project” started in 2013, having sequenced 100,000 whole genomes in the National Health Service (NHS).

The project goal is to improve treatments for patients with rare inherited diseases and cancer, and to uncover new diagnoses. So far, it’s involved the creation of 13 NHS Genomic Medicine Centers (GMCs), a state-of-the-art sequencing center, and an automated analytics platform to return whole genome analyses to the NHS. It’s crunched through 85,000 people’s genomes (participants with cancer have three genomes sequenced: healthy and cancerous cells within their tumor and a third from their blood).

Unfortunately, the servers in those data centers are bare. The Telegraph reports that following a swarm of attacks on the machines holding the data, Genomics England had to shuffle the genomes over to servers at a military base for safekeeping.

Specifically, the data has been tucked away on servers at a Ministry of Defense facility in Corsham, Wiltshire, that’s home to the Joint Forces Command’s Information Systems and Services unit.

This sure isn’t the first data assault endured by the NHS or one of its projects. In 2017, the fast-spreading WannaCry 2.0 ransomware launched its assault against hospitals across the UK before spilling across the globe. More than a third of the NHS was disrupted for days by the WannaCry attack, which cost at least £92 million (around $117 million).

Genomics England Chair Sir John Chisholm said that attacks are a regular thing, but the data is “de-identified” so it can’t be linked to individuals:

Of course we receive attacks, some originating from overseas, and we regularly test to ensure that none succeed.

A key feature of the project is that an individual’s data will not be released. Instead, de-identified data is analyzed by research users within the secure, monitored environment.

None of the well-known viral attacks have succeeded in causing any dysfunction in Genomics England.

The Telegraph talked to Phil Booth, a spokesman for MedConfidential who said that some of the cyber attacks would “almost certainly” have originated in Russia and China and that it’s “no surprise” that people want to drain the database:

Health data is now more valuable than financial data. Criminals, states or companies could use the information to identify people, discriminate against them or even to blackmail them.

It’s no wonder that health data is so valuable. As we’ve noted, DNA collection and genealogy websites have warned that genetic data is extremely sensitive from a privacy perspective: they say that it can be used to predict future medical conditions, reveal information about someone’s family members, or have cultural significance for groups of individuals.

It’s also of great interest to law enforcement, given that investigators don’t need a search warrant to search for DNA matches. That ease of access helped lead to the arrest of a suspected serial killer in April.

From the perspective of criminal profit, the FBI has in the past warned US healthcare providers that crooks were targeting healthcare data with the intent of using it to make fake medical claims or to purchase drugs or medical equipment that can be sold.

In fact, at the time of the 2014 attack on US health insurer Anthem, during which it was drained of 80 million records, medical data was reportedly selling at about $10 per record on underground markets – about 10 times more than credit card data at the time.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/N_ZuUa_ryDg/

Unencrypted medical data leads to 12-state litigation

Twelve US states are suing an electronic healthcare record provider who lost 3.9 million personal records in 2015.

The attorneys general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin clubbed together to file suit against Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard (NMC) this week. The states, each of which has residents affected by the breach, are negotiating a payout with the company.

MIE sells web-based electronic health record services to healthcare providers via NMC’s Webchart web-based portal.

Starting on 7 May 2015, hackers pilfered 3.9 million people’s personal information from MIE’s back-end systems, stealing not only names, addresses and social security numbers but also health data. This included lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions and the names and birth statistics of children.

The complaint accuses MIE of failing to properly secure its computer systems, not telling people about its system weaknesses, and then failing to provide timely notifications of the incident.

MIE failed to encrypt sensitive information, even though it said it did, the lawsuit says. It also used test accounts sharing the passwords “tester” and “testing”, established so that a client’s employees didn’t have to log in with a unique user ID.

Pen testers uncovered the issue and highlighted the risk but the lawsuit says that MIE took no action.

One of these test accounts allowed the thieves to explore the health record database with SQL injection attacks, gaining further access to privileged accounts called ‘checkout’ and ‘dcarlson’.

MIE allegedly didn’t have any data exfiltration alarms in place. It was a network performance monitoring alarm that raised the red flag because the attackers dumped records from the database at such volume that it choked off network bandwidth. The attacks continued even while administrators investigated the incident.

When the breach was discovered, MIE only had a draft incident response plan, and there was no evidence that it followed that in any case, the states say.

They add that notifications were inadequate. MIE discovered the breach on 26 May 2015, and informed the public of the breach via a notice on its website on 10 June. The company then began email notifications on 17 July, and finally sent letters in December.

MIE and NMC violated the federal HIPAA legislation protecting the privacy of health information, claim the 12 states. They’re also accusing MIE of breaking 27 state-level laws concerning data breach notification, abusive and deceptive practices, and personal information protection.

The states are proposing a consent decree to clear up the matter before getting into litigation. This calls for an as-yet undefined payout from MIE, along with its commitment to follow several security measures.

These include using multi-factor authentication, not making generic accounts accessible via the internet, using strong passwords, training staff properly in cybersecurity, using a security information and event management (SIEM) solution, and putting SQL injection attack detection measures in place.

The company will also have to conduct regular security audits with help from a qualified professional, file reports, and take action on them. In short, the settlement asks the company to do what any competent cybersecurity team charged with protecting sensitive data should be doing.
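The failure chain the complaint describes (internet-reachable shared test accounts, SQL injection through one of them, and a bulk dump that only a bandwidth alarm noticed) maps directly onto the log checks the settlement now demands. The following is an added example, not code from the article, MIE or the states: a toy review pass over a constructed access log that raises the alerts MIE lacked. The log format, the row-count thresholds and the account names other than “tester” and “testing” are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log, one request per line:
# "<timestamp> <account> <request path> <rows returned>" (assumed format).
SAMPLE_LOG = """\
2015-05-07T02:10:01 tester /webchart/patient?id=1 1
2015-05-07T02:10:09 tester /webchart/patient?id=1'%20OR%201=1-- 45000
2015-05-07T02:11:30 checkout /webchart/export?all=1 250000
2015-05-07T09:00:00 jsmith /webchart/patient?id=42 1
2015-05-07T09:01:00 jsmith /webchart/patient?id=42%20UNION%20SELECT%20* 500
"""

# Shared/generic accounts that should never appear in internet-facing logins
# ("tester" and "testing" are the two named in the complaint; the rest are assumed).
GENERIC_ACCOUNTS = {"tester", "testing", "test", "guest"}
# Crude SQL-injection signatures: quote followed by OR/AND, UNION SELECT, comment marker.
SQLI_RE = re.compile(r"'\s*(or|and)\b|union\s+select|--", re.I)
ROWS_PER_REQUEST_LIMIT = 1000   # assumed ceiling for one clinical-UI request
ROWS_PER_USER_LIMIT = 10000     # assumed ceiling per account over the log window

def parse_line(line):
    ts, user, path, rows = line.split()
    return {"ts": ts, "user": user, "path": unquote(path), "rows": int(rows)}

def review(log_text):
    """Return (alert_kind, account, detail) tuples for the whole log."""
    alerts, totals = [], defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        totals[ev["user"]] += ev["rows"]
        if ev["user"] in GENERIC_ACCOUNTS:
            alerts.append(("generic_account", ev["user"], ev["ts"]))
        if SQLI_RE.search(ev["path"]):
            alerts.append(("sqli_pattern", ev["user"], ev["ts"]))
        if ev["rows"] > ROWS_PER_REQUEST_LIMIT:   # single oversized dump
            alerts.append(("bulk_dump", ev["user"], ev["ts"]))
    for user, total in totals.items():            # slow-and-steady exfiltration
        if total > ROWS_PER_USER_LIMIT:
            alerts.append(("volume_exfil", user, total))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```

The per-account total is the check that would have fired before the network choked: a record-count alarm trips on data volume, not on bandwidth.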

What’s interesting here is the collaborative nature of the settlement. As voices call for stricter federal privacy protection laws, this could be a sign that states are getting fed up with these mega-breaches and are taking things into their own hands.

In October, Uber settled with all 50 states over the handling of its 2016 data breach, paying $148m. Does this latest suit herald more coordination between attorneys general to hold companies accountable?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5yKTgrBmyrA/

Kids’ VTech tablets vulnerable to eavesdropping hackers

VTech, the Hong-Kong-based smart-toy maker has hit another bump in the road.

This time around, it’s a serious security flaw in the software of VTech’s flagship tablet, the Storio Max, which is called the InnoTab Max in the UK. The flaw could allow hackers to remotely take control of the device and spy on the 3- to 11-year-old children for whom it’s marketed.

The vulnerability was discovered earlier this year by Elliott Thompson, a security consultant with the London penetration-testing firm SureCloud. On Wednesday, SureCloud said in a post that Thompson had found a vulnerable service enabled on the tablet that could be exploited by a script placed on a website, where a child could visit it, trigger the flaw and be none the wiser.

An attacker would then gain full root control over the device, including access to its webcam, speakers and microphone. In other words, an attacker could eavesdrop on a child using the tablet or talk to them.

The Max tablets are designed to enable parents to restrict their kids’ access to websites that they’ve personally vetted. The flaw pops a hole in that bubble of trust, given that an attacker could exploit the vulnerability to boobytrap that collection of supposedly “safe” sites.

Luke Potter, cyber-security practice director at SureCloud, told BBC News that it’s easy to exploit once you know where to look:

To find the vulnerability in the first place wasn’t easy. But to actually exploit it once you know it’s there is reasonably simple.

An attack can be accomplished remotely via off-the-shelf malware that can be picked up from criminal marketplaces, he said, and it would be invisible:

Remote access can be gained without the child even knowing. So effectively being able to monitor the child, listen to them, talk to them, have full access and control of the device. For example, we demonstrated viewing things through the webcam.

No attacks… yet

VTech said in a statement that it hasn’t heard of any actual attempt to exploit the vulnerability:

This was a controlled and targeted ‘ethical hack’ by… a sophisticated cyber-firm that was in possession of a detailed knowledge of hacking techniques and InnoTab/Storio Max’s firmware.

We are not aware of any actual attempt to exploit the vulnerability and we consider the prospects of this happening to be remote.

However, the safety of children is our top priority and we are constantly looking to improve the security of our devices.

In May, within 30 days of SureCloud having disclosed the vulnerability, VTech issued a patch.

That doesn’t mean that all the parents of all the tablet-using kids installed the firmware upgrade, though. VTech put a firmware upgrade reminder at the top of its homepage after BBC Watchdog Live flagged the tablet flaw and broadcast news about the issue, the BBC said on Wednesday.

Before that, VTech was just relying on popups that appeared on the devices themselves to get the word out, without explicitly warning customers about the security vulnerability or the risks it posed. After the BBC contacted the company, VTech made the upgrade reminder on its site more explicit and provided an illustrated, step-by-step guide to applying the fix.

According to the BBC, VTech is also contacting retailers that are selling affected units. The company says it’s also emailed European owners who haven’t yet performed the upgrade.

Earlier problems

An intruder claimed to have broken into VTech servers and ripped off data so sensitive that it made them queasy.

With good reason: the intruder claimed to have accessed photos of kids and parents, chat logs and audio files.

The FTC said at the time that the attacker got first names, genders and birthdays of about 638,000 children. The intruder said they got email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, and download histories. The personal data pertained to 4,833,678 parents, the intruder said.

A then-21-year-old UK man was arrested in connection with the intrusion soon after. Fast forward to January 2018, when VTech settled Federal Trade Commission (FTC) charges that the company violated the Children’s Online Privacy Protection Act (COPPA) and the FTC Act.

VTech settled with the FTC for a civil fine of $650,000.

VTech was criticized for its response in the 2015 breach. The toymaker not only (allegedly) lost the data: it also dinged customer confidence by slipping in a tweaked terms and conditions policy that passed the buck for any future breach to its customers, like so:

You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.

At least this time around, VTech shipped an upgrade promptly. It remains to be seen if its response to the tablet vulnerability will keep the FTC happy, though.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CnjaaWCrERY/

Flash zero-day exploit spotted – patch now!

If you’re among the holdouts still running Flash, you have some more updating homework to do. Adobe has issued an out-of-band patch after researchers spotted a Flash zero-day flaw being exploited in the wild.

The discovery was made by Qihoo 360, which on 29 November noticed a targeted APT (Advanced Persistent Threat) attack against a healthcare clinic used by Russian Government officials.

Codenamed “Operation Poison Needles” by Qihoo in honour of its medical theme, the attack uses a Word document mocked up to look like a job application questionnaire embedding a Flash ActiveX control.

Targets receive a phishing email with an attached RAR archive containing the boobytrapped document, which executes the payload.

The fix

The vulnerability, a use-after-free flaw, is now identified as CVE-2018-15982 and affects all Flash versions up to and including 31.0.0.153. Patching it on Windows, macOS, Linux and ChromeOS requires downloading 32.0.0.101.

For good measure, the patch applies a separate fix for CVE-2018-15983, a privilege escalation caused by insecure DLL loading.
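Two defender-side checks follow from the attack description and the fix: triage of Office attachments for an embedded Flash ActiveX control, and a version test against the affected range. This is an added example, not code from the article, Qihoo or Adobe. It assumes the document is an OOXML (.docx) container and uses the well-known class id of the Shockwave Flash ActiveX control, which the article does not state; the sample document is constructed in memory and nothing is rendered or executed.

```python
import io
import re
import zipfile

# Registered CLSID of the "Shockwave Flash Object" ActiveX control. Not taken from
# the article; it is the class id Office records when such a control is embedded.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
CLSID_RE = re.compile(re.escape(FLASH_CLSID).encode(), re.I)

# Affected range per the advisory figures quoted in the article.
LAST_VULNERABLE_VERSION = (31, 0, 0, 153)

def flash_is_vulnerable(version):
    """True when an installed Flash build is at or below 31.0.0.153."""
    return tuple(int(p) for p in version.split(".")) <= LAST_VULNERABLE_VERSION

def find_flash_controls(docx_bytes):
    """Return the zip members of an OOXML document that reference the Flash CLSID.
    Every member is scanned, not just word/activeX/, because the part name is a
    convention rather than a guarantee."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if CLSID_RE.search(zf.read(name)):
                hits.append(name)
    return hits

def build_sample_docx(with_flash):
    """Constructed minimal container for the demo: only the parts the check reads,
    not a real document. The activeX part mimics the ax:classid attribute layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document>Job application questionnaire</w:document>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID.lower())
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print("embedded Flash parts:", find_flash_controls(build_sample_docx(flag)))
    print("31.0.0.153 vulnerable:", flash_is_vulnerable("31.0.0.153"))
```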

It’s worth noting that Qihoo appears to have spotted it by way of its anti-malware clients, hence the confident designation as an APT connected to the conflict between Ukraine and Russia.

Hacking Team?

ATR speculates that the attack’s “tradecraft and techniques” might connect the latest campaign in some way to the Italian freelancers, Hacking Team, which infamously had a lot of its tools stolen in a 2015 attack.

It’s true that the use of zero-day Flash exploits embedded inside Word documents looks like a calling card (see previous incidents), but this could also simply mean that attackers who got hold of the cache of Hacking Team goodies have saved them up for special occasions.

Naked Security has covered a regular drip (or even a flood) of vulnerabilities and live attacks exploiting Flash in recent times, vulnerabilities that will almost certainly continue their march until the software is gone once and for all. As Gigamon writes:

Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove Flash from web browsers, vectors such as Microsoft Office remain able to load and execute Flash content.

Our recommendation: remove it from your operating system before deactivating it in browsers that still give you the choice to allow it (Chrome and Edge).

Presumably (and hopefully), organisations and individuals continuing to use something scheduled to expire forever in 2020 do so for a good reason. But whatever that reason may be, as with previous patches and out-of-band updates, the latest Flash zero-day is a reminder to all to move on and stop living so dangerously.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sx_d55jHzSw/